Analysis
-
max time kernel
119s -
max time network
140s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
22-04-2024 14:33
General
-
Target
tmp.exe
-
Size
48KB
-
MD5
d65c7a3cb25eb79571854b5fab17be35
-
SHA1
6c980e0357dea99771704f3f122d369d90fefd5f
-
SHA256
7d693069636a46d7d430ced104854e7a19da09fc0b1e9c43e6ac55ab52bd8eea
-
SHA512
bcd1a7598f1740e3838592c4a853e04caa78709a98454be0f8ab7cc2a4973c12e639192f676504ee97c7cbc6e34278011d998656ac8f81dccfc56e7455eb7678
-
SSDEEP
768:zynb12Aw5J6HC4kq5Jp9bjAzhyY55J+NStcEeUlyqgZl4p67VhPC:Ub1MsHz3JDwhyWr+N95OTga6u
Malware Config
Signatures
-
RunningRat
RunningRat is a remote access trojan first seen in 2018.
-
Sets DLL path for service in the registry 2 TTPs 1 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 7 IoCs
-
Creates a Windows Service
-
Drops file in System32 directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 6 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"1⤵
- Sets DLL path for service in the registry
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\Admin\AppData\Local\Temp\tmp.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 13⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "SICK"1⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "SICK"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\SICK.exeC:\Windows\system32\SICK.exe "c:\windows\system32\259423609.dll",MainThread2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies data under HKEY_USERS
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
25KB
MD5aa4ed83fc3f6255e1617fe39541fb1f4
SHA1945c3ae4cb8eca8d2410a7e0cd4e30f27d76c1fb
SHA2568060755c7df499ccce82afa6adc0086c38540a01d2fb0b72b2488edcbe24e984
SHA512dcf5b167eda97c1a20397742851e676c0272354879d80646e8c0d4e9c5042b678bb44edd2e42825afc328becd31b75695c6adbca31e7c5c941e8923965ab30c2
-
Filesize
43KB
MD551138beea3e2c21ec44d0932c71762a8
SHA18939cf35447b22dd2c6e6f443446acc1bf986d58
SHA2565ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d